Both Mozilla and Google have made the move much earlier than expected. According to Google’s Lucas Garron, the head of Chrome security, has stated the following concerning the company’s decision to move to a much more secure algorithm: Websites that have a SHA-1-based signature will begin to trigger a fatal network error. From July 1, 2016, the Chrome browser will start to block websites that rely on the SHA-1 certificate. Our earlier report suggested that even Facebook predicts that between 3 and 7 percent of all web browsers will be too obsolete to use SHA-2. SHA-1 offers several security measures over its predecessor. However, SHA-1 is omnipresent in developing and in third world countries, where individuals have limited to no knowledge about web security at all. Additional statistical data suggests that SHA-2 is supported by at least 98.31 percent of browsers worldwide, and the remaining 1.69 percent comprises up of 37 million people. As we announced on our security-dev mailing list, Chrome 48 will also stop supporting RC4 cipher suites for TLS connections. This aligns with timelines for Microsoft Edge and Mozilla Firefox. For security and interoperability in the face of upcoming browser changes, site operators should ensure that their servers use SHA-2 certificates, support non-RC4 cipher suites, and follow TLS best practices. In particular, we recommend that most sites support TLS 1.2 and prioritize the ECDHE_RSA_WITH_AES_128_GCM cipher suite. We also encourage site operators to use tools like the SSL Labs server test and Mozilla’s SSL Configuration Generator.” CloudFlare also states that the cost to continue SHA-1 generation would reach to about $700,000, but will gradually decrease overtime since more and more websites will begin to adopt SHA-2 certificates.
